Dive into the behind-the-scenes story of the LockerGoga attack that paralyzed Norsk Hydro. A tale of industrial chaos, heroic resilience, and crucial lessons for OT cybersecurity.
The Brutal Awakening of a Giant
On March 19, 2019, the world of heavy industry trembled. Norsk Hydro, one of the world's largest aluminum producers, based in Norway, suddenly found itself thrown back into the Stone Age. Imagine 35,000 employees in 40 countries discovering black screens or, worse, ransom demands in capital letters. This was not a simple office computer glitch, but a digital cardiac arrest affecting both the accounting department and the smelting plants.
The attack was lightning-fast. The plants' control systems, which manage the melting of aluminum at extreme temperatures, began losing their connection to the control centers. For a giant that produces millions of tons of metal every year, every minute of paralysis translated into hundreds of thousands of euros in losses. The chaos was total, forcing engineers to switch to manual operation to keep the molten metal from solidifying in the crucibles, which would have caused irreversible damage.
LockerGoga: The Anatomy of a Digital Killer
The culprit was quickly identified: the LockerGoga ransomware. Unlike other malware that spreads indiscriminately like the flu, LockerGoga was deployed with surgical precision after the attackers infiltrated the network via a simple phishing email. Once inside, they used legitimate administrative tools to push the malware across the company's entire fleet of machines, like a Trojan horse using the fortress's own keys.
Technically, LockerGoga is particularly vicious. Not only does it encrypt files, it also logs users out of their sessions and changes their passwords, blocking any immediate recovery attempt. It makes no effort to hide: it destroys the very structure of the company's account management (Active Directory). For ANSSI experts, this case remains the absolute reference for the compromise of infrastructure on a global scale.
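As an added example (not from the original article, nor code from Hydro), here is a small defensive detector for the behaviour described above: a burst of account password resets on a single host. The Windows Security event IDs used (4724, a password reset; 4634, a logoff) are real; the hostnames, account names and timestamps are constructed sample data, and the window and threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real Hydro telemetry).
# Event ID 4724 = "An attempt was made to reset an account's password";
# Event ID 4634 = "An account was logged off" (kept as noise the detector ignores).
SAMPLE_EVENTS = [
    {"ts": "2019-03-19T01:12:03", "host": "DC-01",      "event_id": 4724, "target": "jdoe"},
    {"ts": "2019-03-19T01:40:10", "host": "WS-ACCT-07", "event_id": 4724, "target": "alice"},
    {"ts": "2019-03-19T01:40:11", "host": "WS-ACCT-07", "event_id": 4634, "target": "alice"},
    {"ts": "2019-03-19T01:40:12", "host": "WS-ACCT-07", "event_id": 4724, "target": "bob"},
    {"ts": "2019-03-19T01:41:05", "host": "WS-ACCT-07", "event_id": 4724, "target": "svc_backup"},
    {"ts": "2019-03-19T01:41:06", "host": "WS-ACCT-07", "event_id": 4724, "target": "alice"},  # repeat, same account
    {"ts": "2019-03-19T09:15:00", "host": "DC-01",      "event_id": 4724, "target": "mwhite"},
]


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def find_mass_resets(events, window=timedelta(minutes=5), threshold=3):
    """Return {host: sorted distinct accounts} for every host on which at least
    `threshold` different accounts had their password reset (4724) inside one
    sliding `window`. Isolated helpdesk-style resets hours apart stay silent."""
    resets_by_host = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4724:
            resets_by_host[ev["host"]].append((_parse_ts(ev["ts"]), ev["target"]))

    alerts = {}
    for host, resets in resets_by_host.items():
        resets.sort()  # chronological, so each index opens one candidate window
        for i, (start, _) in enumerate(resets):
            in_window = {tgt for ts, tgt in resets[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                alerts[host] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for host, accounts in find_mass_resets(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {len(accounts)} accounts reset within 5 min: {accounts}")
```

In the sample, WS-ACCT-07 trips the rule (three distinct accounts reset in about a minute) while the two routine resets on DC-01, hours apart, do not.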
The Resistance: Paper, Pencils, and Sweat
This is where the story becomes fascinating. Rather than giving in to blackmail and paying the millions demanded, Norsk Hydro chose total transparency. While its servers were down, the company communicated via Facebook and daily press conferences. In the plants, retirees were called back to teach younger workers how to run the machines the old way, without software assistance. Old notebooks and fax machines were brought out to order raw materials.
This 'analog' resilience saved the company. Although the attack cost more than 60 million euros, Norsk Hydro earned the respect of the international community for its integrity. It refused to fund cybercrime, preferring to rebuild every server, one by one, from clean backups. It is as much a human epic as a technical one, showing that in the face of malicious code, the human factor remains the last line of defense.
Lessons from a Near-Miss
What lessons can be drawn for your own business? First, strict separation between the office network (IT) and the industrial network (OT) is essential. If malware enters through an email, it must never be able to reach the production machines. Next, managing 'offline' backups is your only life insurance. If your backups are connected to the network, the ransomware will devour them first to make sure you have no choice but to pay.
Finally, the story of Norsk Hydro proves that preparation is key. Having a business continuity plan that anticipates operating without IT is no longer paranoia; it is a strategic necessity. To learn more about best practices for protecting industrial systems, consult Norsk Hydro's official website, which has shared extensive lessons learned from this unprecedented crisis.
